The present invention relates generally to the Internet, and more specifically to Internet security. More particularly still, the present invention provides a method and system of alerting Internet Service Providers (ISPs) that a hacker may be using their system to attempt to gain unauthorized access to a server.
The Internet seems to be christened by Wall Street as the business wave of the future. This is because users of the Internet have the ability to quickly and accurately complete business transactions at remote and dispersed locations and with practically no transactional costs. Furthermore, access to the Internet is cheap, with many Internet computers actually being given away for free when Internet access is purchased for as little as fifteen dollars each month. Accordingly, it is estimated that by the year 2000 over half the households in the United States will have access to the Internet.
Because of widespread access to the Internet, people are using the Internet to access services for information on topics ranging from animals to zoos. When coupled with the vast amounts of university information already on the Internet, it can be seen that the Internet is beginning to fulfill its early promise as an educational clearing house of information. To take advantage of this rapidly growing community, many businesses, educational institutions, as well as national, state, and local governments, have connected to the Internet. Unfortunately, the ease with which users can gain access to the Internet also provides unscrupulous users easy access to information that another user does not desire to make publicly available when that information is maintained on a server that is connected to the Internet.
Access to the Internet is achieved through a computing platform, typically a server or a computer, that has a connection to an Internet Service Provider (ISP). A single user may connect directly to the ISP through a modem or a dedicated line (such as cable or ISDN). In a Local Area Network (LAN), a centralized computer, known as a server, is connected between one or more computers and the Internet. Accordingly, each computer in the LAN can access the Internet through the server.
A hacker is a person who accesses the Internet and seeks to infiltrate a target computer that is also on the Internet (hackers are notorious for reaching the Internet through a server at a university). The target may be a government computer, an educational institution computer or a business computer, for example.
Hackers have many motivations. Sometimes, a hacker may be interested in infiltrating a government computer to alter tax records or manipulate records of criminal convictions. A hacker may be interested in accessing an educational institution's databases to falsify grades or to fraudulently record credits. Other hackers may infiltrate a business in order to manipulate business orders or to transfer money from one account to another account. The dire consequences of hacking have created an entire industry aimed at preventing hacker infiltration into computers and LANs, and the manipulation of data by hackers on individual computers.
Systems designed to stop hackers typically operate as firewalls or as host based security systems. Firewalls are software programs designed to prevent unauthorized access into a target server or computer connected to the Internet. A firewall typically restricts remote access to the central server by requiring a password to be entered by those desiring remote access before access to the central server will be allowed. If an incorrect password is used too many times, the firewall program will automatically forbid that user from attempting another log-in. In addition, firewalls may also incorporate authentication or encryption technologies to provide for secure Internet transactions.
Host based security systems seek to protect the information stored in a specific target server or a computer connected to the target server (targeted computer). Thus, if a hacker successfully gets through a firewall security system and is able to log on to the central server, he may still face a host based security system. A host based security system will typically require a user to enter a password before allowing that user to have access to a specific program run on that computer or server. If an incorrect password is used too many times the host based security system may forbid that user from attempting another log-in or the host based security system may direct the firewall software to completely forbid access to that local area network connected through the central server.
Unfortunately, hackers may attempt multiple log-ins disguised as different users. For example, a hacker targeting a server may attempt multiple log-ins under one user ID, and then be rejected by the firewall software and forbidden from using that user ID for any further log-in attempts. However, because the lockout is keyed on the user ID rather than on the source of the attempts, the hacker then needs only to utilize a different user ID to try to gain access to the server again. Thus, a persistent and technologically sophisticated hacker can often gain access through a firewall. Once access is gained to the server, the hacker may attempt to gain access to a particular program where he may encounter a host-based security system. Then, in a similar manner, he may attempt to use multiple user IDs to access that specific software and continue his misdeeds until his hacking urges are satisfied.
Therefore, there exists a need for a method and system of spotting hackers that may be using multiple account names or other techniques to gain access to a target, and that can identify the hacker. It would be advantageous for the method to operate in real time. The present invention provides such a method and system.
The present invention achieves technical advantages as a real time method and a system for detecting and reporting potential hacking on a Local Area Network (LAN) or the Internet (collectively "network"). The method generally detects a hacking event at a targeted system, and then sends an indication of the hacking event along the packet pathway towards the potential hacker's access point to the network. The method notifies the server targeted by the potential hacker, as well as other servers located in the network, of the hacking event and "fingerprints" packets originating from the potential hacker. The system generally comprises modules that may be implemented as software. One module detects hacking attempts by a potential hacker and sends reports about the hacking attempts to a second module which collects the reports and takes actions based on the reports. The disclosed invention identifies and thwarts potential hackers in real time, and generates an additional layer of protection in addition to firewalls and host-based security systems, thus making the Internet a more secure place to conduct information exchange.
In one embodiment, the invention is a method of alerting an Internet Service Provider (ISP) or an Internet Connected Server (ICC), that a potential hacker may be using it to attempt to gain unauthorized access to a targeted server. The method includes the steps of detecting a hacking event at the targeted server (target), and reporting the hacking event to a server located outside the target (which could be an ISP functioning as an access point for the potential hacker, or an ICC located in a packet pathway). In addition, the method reports potential hacker information to the target, and tags each packet originating from the potential hacker or an ISP or ICC associated with the hacker (which records the route the packet takes through the Internet). By tagging the packets, every ISP and every ICC that is identified by the tag as being in the packet pathway may be notified of the potential hacker and receive reports of the hacking events. Other sources may be notified of the potential hacker, such as local, state or federal authorities.
Furthermore, packets originating from the potential hacker may be fingerprinted to identify the packet as originating from a potential hacker. The fingerprint includes a risk indicator for associating a risk with the source of the packet. Servers may then make acceptance/rejection decisions about packets based on the fingerprint, the risk indicator, or other information received about the potential hacker.
While the invention is directed primarily at the Internet, it should not be read to be so limited. For example, the potential hacker and the target are often connected to the same server. In addition, the invention should not be read to limit detection and action functions to one particular location in the Internet. For example, any ISP, ICC or server in the packet pathway used by the potential hacker may reject a packet, or identify a source of potential hacking activity, which may be a single terminal, a LAN, an ISP, an ICC, or a server.
In another embodiment, the invention is a computer program for alerting an ISP that a hacker may be using it to attempt access to a target. The computer program generally includes a monitor module for tracking events at a potential target system, and an action module for collecting information and producing reports based on the information. The monitor module includes an authentication failure module for detecting failed log on attempts, and a notification module for notifying ISPs, ICCs, and other servers in the Internet of a hacking event. Likewise, the action module typically includes an information module for broadcasting information about a potential hacker to multiple interested parties, and a fingerprint module that uniquely identifies packets originating from a potential hacker and provides indicators of hacker activity, such as risk indicators.
In yet another embodiment, the invention is a system for providing security to a user of the Internet. The system includes an Internet service provider having an action module, and a target having a monitor module. The monitor module, which is typically executing in a server associated with a destination, detects intrusion attempts by a hacker and sends reports about the intrusion attempts to an action module. The action module, which is typically executing in each server associated with the packet pathway, collects the reports about intrusion attempts and then takes actions based on the reports.
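The following is an added illustration of the detection and action logic described in the embodiments above; it is example code written for this page and is not code from the patent or its applicant. It contrasts the per-user-ID lockout of the background section (which a hacker defeats by cycling user IDs) with a monitor module that keys authentication failures on the packet source, reports hacking events to an action module, and has the action module assign a risk indicator to a fingerprint, broadcast the report to every server recorded in a packet pathway, and make an accept/reject decision. All IP addresses, thresholds, module and method names, and log events are constructed assumptions.

```python
"""Added example (not the patent's own code): per-source authentication-failure
monitoring with a risk-scored fingerprint. Every threshold, address and event
below is constructed for illustration."""
from collections import defaultdict, deque

# Constructed authentication log: (timestamp_seconds, source_ip, user_id, success)
SAMPLE_EVENTS = [
    (0,  "203.0.113.7",  "alice", False),
    (2,  "203.0.113.7",  "alice", False),
    (4,  "203.0.113.7",  "alice", False),  # alice is now locked by the per-user rule
    (6,  "203.0.113.7",  "bob",   False),  # same source simply switches user IDs
    (8,  "203.0.113.7",  "carol", False),
    (10, "203.0.113.7",  "dave",  False),
    (12, "198.51.100.3", "erin",  False),  # one typo by a legitimate user
    (14, "198.51.100.3", "erin",  True),
]

# Constructed route a packet from the hacker took to reach the target (hacker side first)
SAMPLE_PATHWAY = ["isp-access.example", "icc-transit.example", "target-gw.example"]

PER_USER_LIMIT = 3      # assumed firewall/host lockout threshold per user ID
PER_SOURCE_LIMIT = 5    # assumed monitor-module threshold per source address
WINDOW_SECONDS = 60     # assumed sliding window for counting failures


class PerUserLockout:
    """The background-section rule: failures are counted per user ID only."""
    def __init__(self, limit=PER_USER_LIMIT):
        self.limit = limit
        self.failures = defaultdict(int)
        self.locked = set()

    def observe(self, user, success):
        if success:
            self.failures[user] = 0
            return
        self.failures[user] += 1
        if self.failures[user] >= self.limit:
            self.locked.add(user)


class SourceMonitor:
    """Monitor module: an authentication-failure module keyed on the source address,
    so cycling user IDs does not reset the count."""
    def __init__(self, limit=PER_SOURCE_LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.history = defaultdict(deque)   # source -> timestamps of recent failures
        self.users = defaultdict(set)       # source -> distinct user IDs attempted

    def observe(self, ts, source, user, success):
        """Return a hacking-event report for the action module, or None."""
        if success:
            return None
        recent = self.history[source]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:   # drop failures outside the window
            recent.popleft()
        self.users[source].add(user)
        if len(recent) >= self.limit:
            return {"source": source, "failures": len(recent),
                    "distinct_users": len(self.users[source]), "ts": ts}
        return None


class ActionModule:
    """Action module: collects reports, scores a risk indicator, fingerprints the
    source, broadcasts along the pathway and decides accept/reject."""
    def __init__(self, reject_at=0.8):
        self.reject_at = reject_at
        self.risk = defaultdict(float)
        self.reports = []
        self.notified = defaultdict(list)   # server -> reports it received

    def collect(self, report):
        self.reports.append(report)
        # Constructed scoring: each failure and each distinct user ID adds 0.1, capped at 1.0
        score = min(1.0, 0.1 * report["failures"] + 0.1 * report["distinct_users"])
        self.risk[report["source"]] = max(self.risk[report["source"]], score)

    def fingerprint(self, source):
        return {"source": source, "risk": self.risk.get(source, 0.0)}

    def broadcast(self, report, pathway):
        """Notify every ISP/ICC/server recorded in the packet pathway; return who was told."""
        for server in pathway:
            self.notified[server].append(report)
        return list(pathway)

    def accept(self, source):
        return self.risk.get(source, 0.0) < self.reject_at


def run(events=SAMPLE_EVENTS, pathway=SAMPLE_PATHWAY):
    per_user, monitor, action = PerUserLockout(), SourceMonitor(), ActionModule()
    for ts, src, user, ok in events:
        per_user.observe(user, ok)
        report = monitor.observe(ts, src, user, ok)
        if report:
            action.collect(report)
            action.broadcast(report, pathway)
    return per_user, monitor, action


if __name__ == "__main__":
    lockout, mon, act = run()
    print("per-user locked:", sorted(lockout.locked))            # only alice
    print("fingerprint:", act.fingerprint("203.0.113.7"))
    print("accept attacker?", act.accept("203.0.113.7"))
    print("accept erin?", act.accept("198.51.100.3"))
```

In the constructed log the per-user rule locks only "alice" and never notices that "bob", "carol" and "dave" come from the same address; the source-keyed monitor raises a report at the fifth failure from 203.0.113.7, the action module's risk indicator reaches its cap, and that source is rejected while the single typo from 198.51.100.3 leaves its risk at zero. The broadcast step stands in for the disclosure's notification of every ISP and ICC identified by the packet tag.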